Reflections on Vulnerability Disclosure: Case Studies & Ethical Dilemmas, by Enno Rey [erey@ernw.de], at ACM SigComm2015 Workshop on Ethics in Networked Systems Research


Page 1

www.ernw.de

Reflections on Vulnerability Disclosure: Case Studies & Ethical Dilemmas

by Enno Rey [erey@ernw.de]

at ACM SigComm2015 Workshop on Ethics in Networked Systems Research

Page 2

Who Am I

¬ Researcher in the field of network devices and protocols.

¬ Founder (2001) and head of a (40+ employee) company providing security assessment & vulnerability research services.

¬ Regularly involved in vulnerability disclosure procedures, and increasingly facing ethical dilemmas in the course of those.

08/21/15 ACM SigComm2015 - Workshop on Ethics in Networked Systems Research #2

Page 3

Relevant Discussions

¬ Google’s Project Zero: http://googleprojectzero.blogspot.de/2015/02/feedback-and-data-driven-updates-to.html

¬ CERT/CC Approach: http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm

¬ WEIS Paper [2006]: http://weis2006.econinfosec.org/docs/17.pdf

¬ Statement by Bruce Schneier [2007]: https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html

Page 4

Why We Do Security Research

¬ Develop our capabilities/skills and our methodology when tackling certain tasks.

¬ Contribute to public security knowledge & discussion. Helps to increase the visibility of our expertise.

¬ Simply because security research is fun ;-)

Page 5

Who’s Paying The Bill?

¬ US: Research we “just do on our own” without a specific customer context, because we think it’s important to look at the security properties of some class of devices or because we’re curious about the real-life implementation of protocols etc.

¬ US/THEM: Research that is somewhat related to/sponsored by a customer security assessment project, with an agreement along the lines of: “while you [customer] pay n man-days for the assessment, we’re willing to spend much more effort on a certain component, if you’re ok with us sharing the results with the public thereafter”.

¬ THEM: Research projects we’re engaged for in a dedicated manner. The main property being that the engaging party fully owns the intellectual property from the project.

Page 6

Vulnerability Disclosure

¬ Full Disclosure: Tell everybody.

¬ Responsible Disclosure: Tell the vendor (of a product).

¬ Other: Tell a broker. Tell some 3rd party, usually for $$. Don't tell anybody. Etc.

Variants, from the perspective of the "audience" in the early stages of the process.

Page 7

Rain Forest Puppy Policy / RFPolicy

Page 8

Slightly Modified Terminology

¬ “finder”: individual or organization that identifies a potential vulnerability in a product or online service.

¬ “vendor”: individual or organization that developed the product or service or is responsible for maintaining it.

¬ “remediation”: patch, fix, upgrade, configuration, or documentation change to either remove or mitigate a vulnerability.

Along the lines of ISO/IEC 29147:2014, Information technology — Security techniques — Vulnerability disclosure.

Page 9

Simplest Case

¬ The finder who has discovered a vulnerability, which she now reports

¬ to the vendor, who receives the information,

¬ in order to provide remediation, which in turn benefits all users of the product/software in question.

Page 10

Outcome

¬ Contribute to the education of the parties involved/affected and thereby help to achieve an overall higher state of security for everybody.

¬ Let’s designate this objective as: [OBJ_L_PUBLIC_CULTURE]

L = long-term

Page 11

Further Assumptions

¬ At the time of reporting no patch is available.

¬ The vendor actually takes care of remediation.

¬ It can be deployed everywhere where needed, without too much delay.

¬ The people involved/users affected are well-informed, willing to deploy the remediation and capable/enabled to do so. Let’s call them stakeholders.

Page 12

Implications of Our Policy

¬ We always got into direct contact with the vendors.

¬ We never went through brokering organizations.

¬ We never asked for or received any financial compensation.

¬ We have never sold any vulnerability information to a 3rd party.

Page 13

The exception proves the rule.

#nootherchoice #epicvendorfail

Page 14

Legal Blur

Page 15

It becomes increasingly difficult, mainly for these reasons…

¬ A growing number of vendors out there operate with outspoken or elusive legal threats in the course of the procedure.

¬ The Wassenaar Arrangement (WA).

Page 16

Implications of Wassenaar Arrangement

¬ Might have severe implications with regard to the way vulnerability disclosure takes place “across borders”.

¬ Is PoC code covered by the 2nd controlled class of software as of the agreement?

¬ Further discussion:

Sergey Bratus: http://www.cs.dartmouth.edu/~sergey/drafts/wassenaar-public-comment.pdf

“Regs — Discussions on Wassenaar” mailing list established by Arrigo Triulzi

Page 17

New Stakeholders in Town

Vulnerability Disclosure

Page 18

Main Differences

¬ There’s another group of stakeholders involved who are not part of the previous, “traditional” picture, but who are heavily affected when driving their car, when being treated by means of network-connected medical devices, when using some piece of technology in their household or even when using pieces of technology to protect this very sphere etc.

¬ The vulnerabilities might have a direct impact on their health or on their personal property, as opposed to the somewhat anonymous assets of enterprise organizations or vendors depicted in the classic RFPolicy.

¬ At the same time the affected users might be completely unaware of the vulnerabilities.

¬ Even if they knew, due to the specific nature of certain components/devices it might just not be technically possible or feasible to apply the remediation.

Page 19

A Recent Example

Page 20

More Case Studies

https://www.insinuator.net/2014/03/how-to-own-a-router-fritzbox-avm-vulnerability-analysis/

https://www.insinuator.net/2015/05/analysis-of-an-alarm-system-part-23/

Page 21

Another Main Objective

¬ These aspects induce another main objective (of vulnerability handling), to be designated as follows: [OBJ_S_PUBLIC_PREV_HARM]

Scope: Protect the public from harm to their lives, health or economic situation in the short term.

S = short-term

Page 22

The Key Question

Identifying this objective evidently brings up an interesting question:

¬ How to proceed once the now two main objectives (of vulnerability [non-]disclosure), that is [OBJ_L_PUBLIC_CULTURE] and [OBJ_S_PUBLIC_PREV_HARM], clash?

¬ Or, to put it less abstractly: what if pursuing the long-term goal of (vendor/community) education conflicts with the short-term goal of not contributing to people getting harmed?

¬ That's the (type of) question(s) I'd like to discuss today ;-)

Page 23

Looking at the Above Example

¬ Are we supposed (or even morally obliged) to disclose vulnerabilities in a medical device (maybe after having tried to get in contact with the vendor several times and on several channels, without luck)?

¬ This might put patients in danger (and the devices possibly can’t be patched anyway, for regulatory reasons).

¬ On the other hand: whom does it help if we just sit on the information?

¬ Should we try to go through other channels? If so, which ones? Etc.

Page 24

Ethics Committee @ ERNW

¬ We established an ethics committee about two years ago, not least in order to resolve this type of dilemma.

¬ It can be consulted by every member and it is entitled to provide a recommendation considered binding for everybody, including management.

¬ Still we keep thinking there might be better/more suitable ways of vulnerability handling (and there are probably several other researchers facing the same type of questions).

Page 25

Alternatives [I]

What could alternatives look like? These include:

¬ don’t do anything with vulnerabilities we discover and “just sit on them”, maybe for a certain period of time imposed by some governing rules we have to come up with, maybe “indefinitely”.

¬ go full disclosure.

¬ go through a broker (which saves energy & time, too); furthermore this could bring in money to be used for additional Troopers student invitations, the Troopers charity fund or just some more nice equipment for the lab. I’m sure the guys would come up with plenty of ideas….

Page 26

Alternatives [II]

What could alternatives look like?

¬ only report to the vendor once there’s a bug bounty program (alternatively “drop 0day”, as our old buddy Michael Ossmann suggested).

¬ perform full disclosure and combine it with going through media/the press (again this could save energy & time and it might even increase the reach, hence subsequently contribute to the objective of “public education”).

¬ hand over everything to something like a “national clearing house”.

¬ something else…

Page 27

Preliminary Conclusion

¬ For the moment we don’t find any of those particularly consistent with the overall objectives.

¬ Still we sense we have to develop an adapted approach to vulnerability disclosure, for the reasons outlined above.

¬ It’s just: what could that new approach look like?

¬ We’re happy to receive any type of feedback. If nothing else, we’re happy to contribute to the ongoing (and, from some perspective, overdue) debate on vulnerability disclosure and the ethics of our field.

Page 28

There’s never enough time…

THANK YOU… ...for yours!

Slides: https://www.insinuator.net

Page 29

Questions?

¬ You can reach us at: [email protected], www.ernw.de

¬ Our blog: www.insinuator.net

¬ Follow me at: @Enno_Insinuator

Page 30

REGISTRATION almost OPEN: www.troopers.de

There are a few things to know about TROOPERS:

DATE: March 14-18, 2016

PLACE: Heidelberg, Germany

MISSION: Make the world a safer place.

Page 31

The Archive

¬ Feel the spirit – TROOPERS15 Trailer: https://www.youtube.com/watch?v=A9zWD7ZVAGI

¬ TROOPERS15 Talks:

Videos: https://www.youtube.com/playlist?list=PL1eoQr97VfJkfckz9nZFR7tZoBkjij23f

Slides: https://www.troopers.de/archives/

¬ We hope to see you in 2016!

Jeff Gough at TROOPERS13